sad treacherous computing day
Alfred M. Szmidt
ams at gnu.org
Tue May 8 22:17:58 UTC 2007
>> An attacker who has physical access to your machine can pull
>> the disk and put his own kernel on it that will perform his
>> own nefarious tasks. But if you made use of the TC module then
>> I believe you can prevent him from being able to do this --
>> the system will simply refuse to load his modified kernel.

>> The attacker can then copy all data, install keyloggers, trojans,
>> backdoors and what not, so you are SOL anyway.

> That's not correct; at least, not with this hardware. If the data
> is protected by TPM (e.g., encrypted with a TPM-controlled key) he
> could copy it but not read it, and if the OS's TPM protection was
> enabled (e.g., only able to run binaries signed with a
> TPM-controlled key) then he wouldn't be able to install that
> software in a way that it actually ran.

The scenario was a signed kernel. But you show a great example of
another reason why TC is evil: users cannot install local software,
since local software is not signed, it cannot be run. If a user can
insert an unsigned program that is run, they can insert trojans,
keyloggers and what not.

> The best an attacker would be able to do would be to swap out the
> hardware of yours with something he had control of; but even then,
> the TPM in the new hardware (if it even existed) wouldn't be able
> to access your data since the encryption keys in the hardware would
> be different - you'd basically have to retrieve the keys out of the
> TPM chip via scanning electron microscopes or some such.

> In many ways, a TPM chip isn't that much different to the FSFE
> membership card - you can have encryption keys in the hardware
> which are pretty tough to extract, and if the user has control over
> those, there are a lot of security features you can turn on. The
> fact that it's inbuilt into the hardware makes it tough to tamper

I find the GPG card (or whatever it is called) quite different from
TC, it doesn't prohibit you from running things. And this is the
sole, and _only_ goal of TC, to control who can run what, via hardware
so that others cannot decide what they will do.